“Sign me in automatically” in Forms Authentication


image

Now this is not just limited to SharePoint, but, since my main focus is SharePoint, this is where I come across this issue the most. When you log in with SharePoint via Forms Based Authentication, there is that little “Sign me in automatically” checkbox below the FBA login form. If you check this, you may realize that a few hours later, when you go to log back into the site, it does not seem to actually remember you at all. That is because by default, it will only remember you for 30 minutes. We can change this quite easily however… This option is controlled within your web application configuration file (web.config) on the server.

If you open this file directly, search for <authentication mode=”Forms”> under <system.web>, you will see, by default, this:

<authentication mode="Forms">
<forms loginUrl="/_login/default.aspx" />
</authentication>

You can also look in IIS as well, under the Configuration Editor feature in the Management section of the web application

image

 

If we expand system.web, and click on authentication

image

Now, the two options we want to look at in here are timeout, and sliding expiration…

image

The definitions for both of these settings are below, taken from MSDN.

When the SlidingExpiration is set to true, the time interval during which the authentication cookie is valid is reset to the expiration Timeout property value. This happens if the user browses after half of the timeout has expired. For example, if you set an expiration of 20 minutes by using sliding expiration, a user can visit the site at 2:00 PM and receive a cookie that is set to expire at 2:20 PM. The expiration is only updated if the user visits the site after 2:10 PM. If the user visits the site at 2:09 PM, the cookie is not updated because half of the expiration time has not passed. If the user then waits 12 minutes, visiting the site at 2:21 PM, the cookie will be expired. (from: http://msdn.microsoft.com/en-us/library/system.web.configuration.formsauthenticationconfiguration.slidingexpiration.aspx)

The amount of time in minutes after which the authentication expires. The default value is 30 minutes. (from: http://msdn.microsoft.com/en-us/library/system.web.configuration.formsauthenticationconfiguration.timeout.aspx)

I suggest setting this to something much higher… if your users will generally log in once a month, setting this to a couple of months, will ensure they are remembered, and with sliding expiration configured, if they log in during the 3rd month, then the system will reset the time on that cookie, remembering them for another 3 months from that date. For sites which have users logging in less often, setting this to a year will be a decent bet that this will remember them for some time. A year in minutes would be: 525600

Hopefully this helps in your configuration of FBA for SharePoint, as well as other FBA applications.

About these ads

About Geoff Varosky
Geoff Varosky is a Managing Consultant at Jornata (www.jornata.com), a Microsoft Gold Partner focusing on SharePoint, Office 365, mobile technologies, and custom development solutions. Geoff is focused on delivering high value solutions to his customers in SharePoint and Office 365. He has been architecting and developing web based applications for over 16 years, and has been working with SharePoint for the past 10 years. Geoff is an active member of the SharePoint community, President and Co-Founder of the Boston Area SharePoint Users Group (www.bostonsharepointug.org), co-organizer for SharePoint Saturday Boston and speaks regularly at SharePoint events and user groups.

3 Responses to “Sign me in automatically” in Forms Authentication

  1. Rich Finn says:

    Hi Geoff,

    We’ve actually found that the regular asp.net forms settings in the web.config file don’t really apply to sp2010 FBA because of the usage of Claims Auth and the STS. This is especially true when it comes to the sliding expiration settings because of the multiple cookies that the STS uses to determine both the full token lifetime as well as the session lifetime. The implementation of a sliding session in 2010 is fairly complex and requires some global asax changes, and even then, the results don’t seem to be very consistent. After much trial and error using a combination of code from the following four posts, we did get it to work eventually.

    Federico Boerr: http://blogs.southworks.net/fboerr/2011/04/15/sliding-sessions-in-sharepoint-2010/

    Vittorio Betocci: http://blogs.msdn.com/b/vbertocci/archive/2010/06/16/warning-sliding-sessions-are-closer-than-they-appear.aspx

    Travis Nielson: http://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=41

    Jalil Sear: http://jasear.wordpress.com/2011/01/10/sharepoint-2010-set-session-timout-on-a-fba-enabled-site/

    Rich Finn

    • Rich – thank you for the information! I have not tested the sliding sessions in great depth with Claims and FBA on 2010, the timeout is definitely functional.

  2. Pingback: SharePoint Daily

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 3,297 other followers

%d bloggers like this: